CVE-2010-2746
Published 2010-10-13
Priority: P2 (64)
CVSS 2.0: 7.6 (high), vector AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 36.24% (98.3rd percentile)
Heap-based buffer overflow in Comctl32.dll (aka the common control library) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when a third-party SVG viewer is used, allows remote attackers to execute arbitrary code via a crafted HTML document that triggers unspecified messages from this viewer, aka "Comctl32 Heap Overflow Vulnerability."
Affected
1 range indexed
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Note: the indexed product data lists only Windows Server 2008. The description above, and the MS10-081 bulletin it comes from, cover Windows XP SP2/SP3, Windows Server 2003 SP2, Windows Vista SP1/SP2, Windows Server 2008 (Gold, SP2 and R2) and Windows 7; do not scope patching or hunting to the single entry in this table.
Detection & IOCs (extracted from sources)
Payload fragment (bytes): transform_name = "\x21" * 65535
Indicators
- The exploit delivers a crafted SVG file (Content-Type: image/svg+xml) whose transform name is oversized: 65535 bytes of 0x21. That oversized value is what triggers the heap overflow in Comctl32.dll.
- The exploit server answers HTTP GET requests whose path matches /svg/i with Content-Type: image/svg+xml. Monitor for SVG responses served from unexpected or attacker-controlled hosts that end up in Comctl32 message handling.
- Delivery is two-stage HTML+SVG: the initial HTML page carries a link ("CLICK ME") that fetches the malicious SVG. Look for HTML pages that embed or link to SVG resources which trigger Comctl32 third-party-viewer messages.
- The exploit listener defaults to TCP port 55555; SVG or HTML content served to or from that port may indicate active exploitation.
Caveats
- The vulnerability is triggered only when a third-party SVG viewer is installed and passes SVG content through Comctl32.dll messages; systems without a third-party SVG viewer are not affected.
- Affected platforms are Windows XP SP2/SP3, Server 2003 SP2, Vista SP1/SP2, Server 2008 Gold/SP2/R2 and Windows 7 only.
- The default port (55555) is set by a command-line argument, so attacker infrastructure may use any port; treat the port alone as a weak indicator and rely on the content-based ones.
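As an added example, not code from the original page or from the exploit it describes, the indicators above can be combined into a heuristic detector that runs over captured HTTP responses. Everything below is an assumption of this example: the minimal transaction record, the allowlist of hosts expected to serve SVG (static.example.org), the length and run thresholds, and the placement of the 65535-byte filler in a transform attribute value (the page says only that the exploit's transform name is 65535 bytes of 0x21, not where it sits in the SVG). The sample transactions are constructed; 203.0.113.5 is a documentation address.

```python
"""Heuristic detector for the CVE-2010-2746 delivery pattern (added example, not the exploit
and not a vendor rule). Thresholds, allowlist and the transaction record are assumptions."""
import re
from dataclasses import dataclass

# Tunables: assumed values chosen for this example, not taken from the advisory.
MAX_ATTR_LEN = 4096           # legitimate SVG attribute values stay far below the 65535-byte payload
MIN_FILLER_RUN = 1024         # catches single-byte padding such as "\x21" * 65535
DEFAULT_EXPLOIT_PORT = 55555  # the exploit's default listener; the attacker can change it
ALLOWED_SVG_HOSTS = {"static.example.org"}  # constructed allowlist of hosts expected to serve SVG

ATTR_RE = re.compile(rb'([A-Za-z_:][\w:.\-]*)\s*=\s*"([^"]*)"')       # name="value" pairs
RUN_RE = re.compile(rb'(.)\1{%d,}' % (MIN_FILLER_RUN - 1), re.DOTALL)  # one byte repeated >= MIN_FILLER_RUN
HREF_RE = re.compile(rb'href\s*=\s*"([^"]*)"', re.IGNORECASE)


@dataclass
class HttpTransaction:
    """Minimal view of one HTTP response as a proxy or sensor might record it (constructed shape)."""
    host: str
    port: int
    path: str
    content_type: str
    body: bytes


def scan_svg_body(body: bytes) -> list[str]:
    """Flag attribute values that are implausibly long or consist of one repeated byte."""
    findings = []
    for m in ATTR_RE.finditer(body):
        name, value = m.group(1).decode("ascii", "replace"), m.group(2)
        if len(value) > MAX_ATTR_LEN:
            findings.append(f"oversized attribute {name}: {len(value)} bytes")
    for m in RUN_RE.finditer(body):
        findings.append(f"filler run: byte 0x{m.group(1)[0]:02x} x {len(m.group(0))}")
    return findings


def score_transaction(tx: HttpTransaction) -> list[str]:
    """Apply the page's indicators: SVG content or /svg/ path, unexpected host, HTML stage, default port."""
    findings = []
    mime = tx.content_type.split(";")[0].strip().lower()
    svg_path = re.search(r"svg", tx.path, re.IGNORECASE) is not None
    if mime == "image/svg+xml" or svg_path:
        findings.extend(scan_svg_body(tx.body))
        if tx.host not in ALLOWED_SVG_HOSTS:
            findings.append(f"SVG served from unexpected host {tx.host}")
    if mime == "text/html":
        for m in HREF_RE.finditer(tx.body):  # first-stage page linking to an SVG resource
            if re.search(rb"svg", m.group(1), re.IGNORECASE):
                target = m.group(1).decode("ascii", "replace")
                findings.append(f"HTML stage links to SVG resource {target}")
    if tx.port == DEFAULT_EXPLOIT_PORT:  # weak on its own: the port is a command-line option
        findings.append(f"served from exploit default port {DEFAULT_EXPLOIT_PORT}")
    return findings


def classify(tx: HttpTransaction) -> str:
    """'alert' on payload evidence in the body, 'suspicious' on delivery context only, else 'clean'."""
    findings = score_transaction(tx)
    if any(f.startswith(("oversized attribute", "filler run")) for f in findings):
        return "alert"
    return "suspicious" if findings else "clean"


# Constructed samples: a normal SVG, a crafted SVG carrying the 65535-byte filler in a transform
# attribute (assumed placement), and a first-stage HTML page with the "CLICK ME" link.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
              b'<rect x="10" y="10" width="50" height="50" transform="rotate(45 35 35)"/></svg>')
CRAFTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<rect width="10" height="10" transform="' + b"\x21" * 65535 + b'"/></svg>')
STAGE_HTML = b'<html><body><a href="/svg/stage2">CLICK ME</a></body></html>'

SAMPLE_TRANSACTIONS = {
    "benign": HttpTransaction("static.example.org", 443, "/img/logo.svg", "image/svg+xml", BENIGN_SVG),
    "stage1": HttpTransaction("203.0.113.5", 55555, "/", "text/html", STAGE_HTML),
    "payload": HttpTransaction("203.0.113.5", 55555, "/svg/stage2", "image/svg+xml; charset=utf-8", CRAFTED_SVG),
}

if __name__ == "__main__":
    for label, tx in SAMPLE_TRANSACTIONS.items():
        print(f"{label:8s} -> {classify(tx)}")
        for finding in score_transaction(tx):
            print("    ", finding)
```

Running the script classifies the benign transaction as clean, the first-stage HTML page as suspicious (SVG link plus default port) and the crafted SVG as an alert. The body heuristics are the ones worth keeping: a 65535-byte attribute value or a kilobyte-long run of a single byte has no legitimate SVG use, whereas the port and path checks only reflect this exploit's defaults and are trivially changed.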
No detection rules found.
No writeups or analysis indexed.
References
- http://www.securitytracker.com/id?1024549
- http://www.us-cert.gov/cas/techalerts/TA10-285A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-081
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7272